module pagure 1.3;

require {
    type gitosis_var_lib_t;
    type httpd_log_t;
    type httpd_t;
    type http_port_t;
    type ldconfig_exec_t;
    type postfix_cleanup_t;
    type postfix_smtpd_t;
    type sshd_t;
    type var_log_t;
    type var_run_t;
    type var_t;
    class dir { add_name remove_name write };
    class file { create link setattr write execute execute_no_trans getattr map open read rename unlink ioctl lock };
    class process execmem;
    class sock_file write;
    class tcp_socket name_connect;
}

allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write rename };

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow httpd_t gitosis_var_lib_t:file map;
allow httpd_t httpd_log_t:file { rename unlink };

#!!!! This avc is allowed in the current policy
allow httpd_t self:process execmem;
allow httpd_t var_log_t:file { open rename unlink };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow httpd_t var_t:file map;
allow httpd_t var_t:file { getattr open read ioctl };
allow httpd_t var_t:file { lock unlink write };

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t var_run_t:sock_file write;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t var_run_t:sock_file write;

#============= sshd_t ==============

#!!!! This avc is allowed in the current policy
allow sshd_t http_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow sshd_t ldconfig_exec_t:file map;
allow sshd_t ldconfig_exec_t:file { execute execute_no_trans open read };

